JJEE Volume 3, 2017, Pages 50-58
Jordan Journal of Electrical Engineering
ISSN (Print): 2409-9600, ISSN (Online): 2409-9619

Lifting Based S-Box for Scalable Block Cipher Design Based on Filter Banks

Saleh S. Saraireh
Department of Communication and Electronics Engineering, Philadelphia University, Amman, Jordan
e-mail: ssaraireh@philadelphia.edu.jo

Received: January 30, 2017; Accepted: April 7, 2017

Abstract
The security of data exchange is a significant problem. It requires the use of various cryptographic algorithms, such as stream ciphers and block ciphers. The implementation of a secure block cipher requires the generation of strong substitution and permutation layers, and these layers should satisfy the principles of security (diffusion and confusion). This paper proposes a lifting scheme substitution box (s-box), which can be used to implement the substitution layer in a filter bank block cipher structure to support the scalability and security of the cipher. The cryptographic properties of the proposed s-box are studied, evaluated and compared with the Rijndael s-box for the avalanche criterion, strict avalanche criterion (SAC), bit independence criterion (BIC), XOR table distribution and linear approximation table (LAT). The results obtained confirm the security and scalability of the proposed s-box.

Keywords: Avalanche, Block cipher, Cryptography, Filter bank, Lifting, S-Box, Scalability.

I. INTRODUCTION
A novel scalable block cipher structure based on filter banks over a finite field was proposed by the authors in [1]. The substitution layer combines the analysis filter bank and a novel lifting scheme s-box to address the scalability limitations of existing block ciphers [2] without increasing complexity. This is achieved by exploiting the scalability and high diffusion properties of filter bank structures; the scalable confusion provided by a judicious lifting scheme [1] enables the security versus complexity versus performance trade-off to be made for a particular application. Such a trade-off is becoming increasingly important in emerging communication systems.
The lifting scheme, being reversible by structure, reduces the boundary problem; also, the prediction and update lifting steps can be either linear or nonlinear depending on the application. Hence, it allows nonlinearity to be introduced in a regular, extendable and simple form. These advantages of the lifting scheme make it suitable for implementing a strong scalable s-box. To examine the strength of the s-box, it is necessary to study its cryptographic properties. In [3], parity check bits were embedded in the output of the s-boxes of a modified DES cipher; the embedding was applied to increase the resistance of the cipher against linear cryptanalysis. The results obtained showed that the embedding did not enhance the security of the modified DES cipher. The security of the modified DES s-boxes was examined in [4]; each s-box of the modified DES was precoded separately into even weight codes of length 4. The results were compared with the original DES using the same number of rounds. In [5], the security of the s-boxes of RIJNDAEL, Exponentiation K Safer-64 and Logarithm K Safer-64 was evaluated. The evaluation used different criteria, such as avalanche, strict avalanche and bit independence. The results showed the dominance of Rijndael over the others. The s-boxes of the AES, MARS, Skipjack, Serpent and Twofish ciphers were analyzed on two layers, namely, a white box layer and a black box layer [6]. The outcome
of the analysis showed that the AES s-box is the most secure among all the s-boxes, followed by the MARS and Skipjack s-boxes, respectively.

In this paper, the diffusion and confusion properties of the proposed s-box are analyzed: the avalanche, strict avalanche and bit independence criteria cover the diffusion aspects, and the XOR table distribution and linear approximation table cover the confusion aspects. It is shown that the proposed s-box satisfies all of these cryptographic security properties.

The lifting scheme s-box is shown in Fig. 1. The symbol S in Fig. 1 denotes the inverse function with affine transform over $GF(2^8)$, which is a nonlinear function. The lifting scheme over $GF(2^8)$ shown in Fig. 1 can be represented mathematically by the following equations:

$$a_1 = x \oplus S(y) \quad (1)$$
$$a_2 = y \oplus S(a_1) \quad (2)$$
$$x_1 = a_1 \oplus S(a_2) \quad (3)$$
$$y_1 = a_2 \oplus S(x_1) \quad (4)$$

where $\oplus$ is the exclusive or (XOR) operation. The lifting scheme is used on the encryption side; thus, it is necessary to satisfy perfect reconstruction on the decryption side. This can be carried out by a perfect reconstruction lifting scheme, which only requires rearranging the same steps, as shown in Fig. 2. The reconstruction shown in Fig. 2 can be represented mathematically as follows:

$$b_1 = y_1 \oplus S(x_1) \quad (5)$$
$$b_2 = x_1 \oplus S(b_1) \quad (6)$$
$$y = b_1 \oplus S(b_2) \quad (7)$$
$$x = b_2 \oplus S(y) \quad (8)$$

Note that (5)-(8) undo (1)-(4) in reverse order using S itself: each step recomputes the mask that was XORed in on the encryption side, so no inverse of S is needed and the scheme is invertible by structure regardless of S.

Fig. 1. Lifting scheme
Fig. 2. Perfect reconstruction lifting scheme
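The lifting scheme s-box of (1)-(8) written out in Python, as an added worked example (editor-supplied code, not code from the paper). It assumes S is the Rijndael s-box, generated here from its GF(2^8) inverse and affine map as the text describes, and follows the step ordering of (1)-(4) and (5)-(8) above; the function names are the example's own. Running it confirms exhaustively that the 16x16 map is a permutation and that the decryption side reconstructs every input using S alone.

```python
# Added example (not from the paper): the lifting scheme s-box of equations
# (1)-(4) and its perfect reconstruction (5)-(8) over GF(2^8).
# Assumption: S is the Rijndael s-box (multiplicative inverse in GF(2^8)
# followed by the AES affine map), matching the text's description of S as
# "the inverse function with affine transform".


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; inv(0) := 0 as in AES."""
    result, power = 1, a
    for _ in range(7):            # accumulate a^2 * a^4 * ... * a^128 = a^254
        power = gf_mul(power, power)
        result = gf_mul(result, power)
    return result


def rijndael_sbox() -> list:
    """Rijndael s-box: S(x) = A(inv(x)), A the AES affine map with constant 0x63."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        acc = 0x63
        for k in range(5):        # y ^ rotl(y,1) ^ rotl(y,2) ^ rotl(y,3) ^ rotl(y,4)
            acc ^= ((y << k) | (y >> (8 - k))) & 0xFF
        box.append(acc)
    return box


S = rijndael_sbox()


def lift_forward(x: int, y: int):
    """Encryption side, equations (1)-(4): two 8-bit branches in, two out."""
    a1 = x ^ S[y]          # (1)
    a2 = y ^ S[a1]         # (2)
    x1 = a1 ^ S[a2]        # (3)
    y1 = a2 ^ S[x1]        # (4)
    return x1, y1


def lift_inverse(x1: int, y1: int):
    """Decryption side, equations (5)-(8).  Only S itself is used: each step
    recomputes the mask XORed in by lift_forward, so S need not be inverted."""
    b1 = y1 ^ S[x1]        # (5) recovers a2
    b2 = x1 ^ S[b1]        # (6) recovers a1
    y = b1 ^ S[b2]         # (7)
    x = b2 ^ S[y]          # (8)
    return x, y


def sbox16(v: int) -> int:
    """The 16x16 lifting s-box on a 16-bit word (high byte = x, low byte = y)."""
    x1, y1 = lift_forward(v >> 8, v & 0xFF)
    return (x1 << 8) | y1


def sbox16_inv(v: int) -> int:
    """Inverse of sbox16 via the perfect reconstruction steps."""
    x, y = lift_inverse(v >> 8, v & 0xFF)
    return (x << 8) | y


def check_perfect_reconstruction() -> bool:
    """Exhaustively verify that sbox16 is a permutation of {0..65535} and that
    sbox16_inv undoes it for every input (the perfect reconstruction property)."""
    images = [sbox16(v) for v in range(1 << 16)]
    return len(set(images)) == (1 << 16) and all(
        sbox16_inv(img) == v for v, img in enumerate(images))


if __name__ == "__main__":
    print("S(0x53) = 0x%02X" % S[0x53])
    print("perfect reconstruction:", check_perfect_reconstruction())
```

Because every lifting step XORs one branch with a function of the other, the 16-bit map is a permutation for any choice of S, invertible or not; the cryptographic strength, however, comes entirely from the nonlinearity of S and from the four-step mixing, which is what the criteria in Section II measure.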
II. BACKGROUND

A. Avalanche Criterion
The avalanche criterion was defined by Feistel [7]. It is considered one of the most important cryptographic properties of an s-box. It is necessary to ensure that a small change between two plaintexts gives a random-looking difference (avalanche change) between the two corresponding ciphertexts. In order to satisfy the avalanche criterion, flipping a single input bit should change half of the output bits on average. For a cryptographic function $f: Z_2^n \to Z_2^m$ there are $2^n$ different inputs. Suppose that the plaintexts $P$ and $P_i$ differ only in bit $i$, i.e. $P_i = P \oplus e_i$, where $e_i$ is an $n$-bit vector with a 1 in position $i$ [8]; then the outputs of $P$ and $P_i$ are $f(P)$ and $f(P_i)$, and the difference vector $D^{e_i}$ is called the avalanche vector, computed as in (9). Its elements are called the avalanche variables [5]:

$$D^{e_i} = f(P) \oplus f(P \oplus e_i) = [d_1^{e_i}, d_2^{e_i}, \ldots, d_m^{e_i}], \qquad d_j^{e_i} \in Z_2 \quad (9)$$

The overall change of the $j$th avalanche variable over the whole input space is obtained by taking into account all input pairs $P$ and $P_i$ which differ in the $i$th bit [5]:

$$W(d_j^{e_i}) = \sum_{P \in Z_2^n} d_j^{e_i}(P) \quad (10)$$

The cryptographic function is said to satisfy the avalanche criterion if for all $i = 1, 2, \ldots, n$ [5]:

$$\mathrm{AVAL}(i) = \frac{1}{m\,2^n} \sum_{j=1}^{m} W(d_j^{e_i}) \approx \frac{1}{2} \quad (11)$$

AVAL(i) takes values in the range [0, 1]. According to (11), AVAL(i) is the probability that an output bit changes when only the $i$th input bit is altered, averaged over all output bits. If AVAL(i) is very close to one half for every $i$, the cryptographic function satisfies the avalanche criterion; otherwise it does not.

B. Strict Avalanche Criterion (SAC)
Completeness and avalanche were joined into the strict avalanche criterion (SAC) by Webster and Tavares [9]. A cryptographic function $f: Z_2^n \to Z_2^m$ satisfies the SAC if for all $i = 1, 2, \ldots, n$ and $j = 1, 2, \ldots, m$, a change in input bit $i$ changes output bit $j$ with a probability of exactly 0.5. In such a case, it is necessary to separately satisfy each term of the summation in (11).
This means that for each $i$ and $j$, the SAC requires the following equation to hold [5]:

$$W(d_j^{e_i}) = 2^{n-1} \quad (12)$$

The SAC parameter SAC(i, j) can be defined as follows [5]:
$$\mathrm{SAC}(i, j) = \frac{W(d_j^{e_i})}{2^n} \quad (13)$$

It should be noted that SAC(i, j) takes values in the range [0, 1] and is the probability that the $j$th output bit changes once the $i$th input bit is altered. The cryptographic function satisfies the strict avalanche criterion if SAC(i, j) is very close to 0.5 for all $i$ and $j$; otherwise it does not. If a cryptographic function satisfies the SAC, then it also satisfies the completeness and avalanche criteria. However, a function that satisfies completeness and the avalanche criterion does not necessarily satisfy the SAC.

C. Bit Independence Criterion (BIC)
The bit independence criterion was defined by Webster and Tavares [9]. A cryptographic function $f: Z_2^n \to Z_2^m$ satisfies the bit independence criterion if for all $i = 1, 2, \ldots, n$ and $j, k = 1, 2, \ldots, m$ with $j \ne k$, changing the input bit $i$ makes the output bits $j$ and $k$ change independently [7]. In order to determine the bit independence criterion of a cryptographic function, the correlation coefficient between the $j$th and $k$th components of the avalanche vector has to be calculated. The bit independence parameter measures the effect of changing input bit $i$ on the output bits $j$ and $k$ of the avalanche vector and is calculated as [7]:

$$\mathrm{BIC}(d_j, d_k) = \max_{i} \left| \mathrm{corr}\left(d_j^{e_i}, d_k^{e_i}\right) \right| \quad (14)$$

Then the BIC of the function is [7]:

$$\mathrm{BIC}(f) = \max_{\substack{j, k = 1, \ldots, m \\ j \ne k}} \mathrm{BIC}(d_j, d_k) \quad (15)$$

BIC(f) takes a value in the range [0, 1]; the best value is 0, at which the avalanche variables are uncorrelated. The worst case is BIC(f) = 1, at which some pair of avalanche variables is fully correlated.

D. XOR Table Distribution
In order to investigate the security of a block cipher against differential cryptanalysis, which exploits the high values in the XOR tables of the s-boxes used by the cipher, it is essential to determine the XOR table distribution (difference distribution table) of the s-box. The values in the XOR table should be as small as possible to resist differential cryptanalysis.
The XOR table of an $n \times m$ s-box is a $2^n \times 2^m$ matrix [10], with row indices $0, 1, 2, \ldots, 2^n - 1$ and column indices $0, 1, 2, \ldots, 2^m - 1$. To compute the XOR table distribution, assume that the input vector $P$ is changed by $\Delta P$; then the output difference $\Delta C$ is given by:

$$\Delta C = f(P) \oplus f(P \oplus \Delta P) \quad (16)$$

where $\Delta P \in Z_2^n$ and $\Delta C \in Z_2^m$. The XOR table distribution is then given by [5]:

$$\mathrm{XOR}_f(\Delta P, \Delta C) = \#\left\{ P \mid f(P) \oplus f(P \oplus \Delta P) = \Delta C \right\} \quad (17)$$
The entries of the XOR table always take even values, and the sum of all values in a row equals $2^n$. In order to design a secure and strong block cipher, it is necessary to have an s-box that satisfies the confusion property and has small entries in its XOR table distribution.

E. Linear Approximation Table (LAT)
In order to evaluate the security of a block cipher against linear cryptanalysis, it is necessary to determine the linear approximation table, which gives information about the security of the s-box against linear cryptanalysis; it is therefore considered a measure of the resistance of s-boxes against linear cryptanalysis. To resist linear cryptanalysis, the values of the linear approximation table should be as small as possible [4]. The dimensions of the linear approximation table are the same as those of the XOR table distribution: it is a $2^n \times 2^m$ matrix for an $n \times m$ s-box, with row indices $0, 1, 2, \ldots, 2^n - 1$ and column indices $0, 1, 2, \ldots, 2^m - 1$. To compute the linear approximation table, let $X$ be an input of the s-box $S$, $Y = S(X)$ its output, and let the entry at row $X'$ and column $Y'$ be defined as [4]:

$$\mathrm{LAT}(X', Y') = \#\left\{ X \mid Y' \cdot S(X) = X' \cdot X \right\} - 2^{n-1} \quad (18)$$

where $(\cdot)$ denotes the scalar (dot) product of the vectors over $Z_2$. Basically, linear cryptanalysis exploits weak elements of the linear approximation table, whereas differential cryptanalysis exploits weak components of the XOR distribution table. For both tables, the weak element is the highest magnitude element in the corresponding table.

III. SIMULATION RESULTS AND DISCUSSION

A. Avalanche Criterion
Generally, if (11) is not matched exactly, there will be some marginal error, called the relative error interval. This error should be very small and the value of AVAL(i) should be very close to 0.5; otherwise the s-box does not satisfy the avalanche criterion and, consequently, the diffusion property is not satisfied.
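As an added worked example (editor-supplied code, not the paper's own), the following Python computes all five measures of Section II for an s-box given as a lookup table: AVAL (11), SAC (13), BIC (14)-(15), the XOR table (17) and the LAT (18), together with the error terms of (20)-(22) used in the results below. The demonstration inputs are constructed here: the public 4-bit PRESENT s-box and the 4-bit identity map, chosen because their tables are small enough to check by hand; the same functions apply unchanged to an 8-bit table such as Rijndael's. Function names are the example's own.

```python
# Added example (not from the paper): the five measures of Section II for an
# n-bit to m-bit s-box given as a lookup table: AVAL (11), SAC (13), BIC
# (14)-(15), the XOR/difference table (17), the LAT (18) and the error terms
# of (20)-(22).  Demonstration s-boxes are constructed here: the public 4-bit
# PRESENT s-box and the 4-bit identity map, whose values are checkable by hand.

PRESENT4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
            0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY4 = list(range(16))


def parity(v: int) -> int:
    """Parity of the set bits of v; gives the dot product over Z_2 of two masks."""
    return bin(v).count("1") & 1


def avalanche_weights(sbox, n, m):
    """W[i][j] = W(d_j^{e_i}) of (10): how many inputs P have output bit j
    flipped when input bit i is flipped (P -> P xor e_i)."""
    W = [[0] * m for _ in range(n)]
    for P in range(1 << n):
        out = sbox[P]
        for i in range(n):
            D = out ^ sbox[P ^ (1 << i)]        # avalanche vector D^{e_i}(P), eq. (9)
            for j in range(m):
                W[i][j] += (D >> j) & 1
    return W


def aval(sbox, n, m):
    """AVAL(i) of (11): Pr[an output bit flips | input bit i flipped], averaged over j."""
    W = avalanche_weights(sbox, n, m)
    return [sum(W[i]) / (m * (1 << n)) for i in range(n)]


def sac(sbox, n, m):
    """SAC(i, j) of (13) = W(d_j^{e_i}) / 2^n; ideal value 1/2 everywhere."""
    W = avalanche_weights(sbox, n, m)
    return [[w / (1 << n) for w in row] for row in W]


def _corr(a, b):
    """Pearson correlation of two 0/1 sequences; defined as 0 if either is constant."""
    N = len(a)
    ma, mb = sum(a) / N, sum(b) / N
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    va = sum((u - ma) ** 2 for u in a)
    vb = sum((v - mb) ** 2 for v in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def bic(sbox, n, m):
    """BIC(f) of (14)-(15): max over i and j != k of |corr(d_j^{e_i}, d_k^{e_i})|."""
    worst = 0.0
    for i in range(n):
        cols = [[0] * (1 << n) for _ in range(m)]   # cols[j][P] = d_j^{e_i}(P)
        for P in range(1 << n):
            D = sbox[P] ^ sbox[P ^ (1 << i)]
            for j in range(m):
                cols[j][P] = (D >> j) & 1
        for j in range(m):
            for k in range(j + 1, m):
                worst = max(worst, abs(_corr(cols[j], cols[k])))
    return worst


def xor_table(sbox, n, m):
    """XOR_f(dP, dC) of (17): a 2^n x 2^m table of difference counts."""
    T = [[0] * (1 << m) for _ in range(1 << n)]
    for dP in range(1 << n):
        for P in range(1 << n):
            T[dP][sbox[P] ^ sbox[P ^ dP]] += 1
    return T


def lat(sbox, n, m):
    """LAT(X', Y') of (18): #{X : Y'.S(X) = X'.X} - 2^(n-1).  Direct counting is
    O(2^(2n+m)): fine for 4- and 8-bit boxes; use a Walsh transform beyond that."""
    L = [[0] * (1 << m) for _ in range(1 << n)]
    for Xp in range(1 << n):
        for Yp in range(1 << m):
            cnt = sum(1 for X in range(1 << n)
                      if parity(Yp & sbox[X]) == parity(Xp & X))
            L[Xp][Yp] = cnt - (1 << (n - 1))
    return L


def max_differential(sbox, n, m):
    """Largest XOR-table entry excluding the trivial row dP = 0."""
    return max(v for row in xor_table(sbox, n, m)[1:] for v in row)


def max_linear(sbox, n, m):
    """Largest |LAT| entry excluding the trivial corner (0, 0)."""
    L = lat(sbox, n, m)
    return max(abs(L[Xp][Yp]) for Xp in range(1 << n) for Yp in range(1 << m)
               if (Xp, Yp) != (0, 0))


def relative_errors(sbox, n, m):
    """(e_AVAL, e_SAC, e_BIC) of (20), (21), (22); all three are 0 for an ideal s-box."""
    e_aval = max(abs(a - 0.5) for a in aval(sbox, n, m))
    e_sac = max(abs(s - 0.5) for row in sac(sbox, n, m) for s in row)
    return e_aval, e_sac, bic(sbox, n, m)


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT4), ("identity", IDENTITY4)):
        print(name, "errors (AVAL, SAC, BIC):", relative_errors(box, 4, 4),
              "max DDT:", max_differential(box, 4, 4),
              "max |LAT|:", max_linear(box, 4, 4))
```

Two things the output shows that the definitions alone do not. For PRESENT the XOR table and LAT maxima are 4 and 4, the best a 4-bit bijection can achieve, yet e_SAC = 0.5: output bit 0 is a linear function of input bit 3, so flipping that input bit flips that output bit for every input, and AVAL(3) = 0.75. Confusion measures and diffusion measures therefore have to be read together. The identity map has e_BIC = 0 because its avalanche variables are constants, which is why BIC is only meaningful alongside a small e_SAC.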
The avalanche criterion within an error range $\epsilon$ for all $i$ is defined as follows [5]:

$$\left| \mathrm{AVAL}(i) - \frac{1}{2} \right| \le \epsilon \quad (19)$$

The overall relative absolute error of the s-box is calculated by [5]:

$$\epsilon_{\mathrm{AVAL}} = \max_{i} \left| \mathrm{AVAL}(i) - \frac{1}{2} \right| \quad (20)$$

For the proposed lifting s-box, the avalanche criterion in (11) is evaluated and the maximum relative absolute error is obtained using (20); its value is 0.0083 compared with 0.035 for the s-box of Rijndael [5]. Fig. 3 depicts the relative absolute error versus the bit position of the avalanche vector for the lifting scheme s-box.
Fig. 3. Relative absolute error versus bit position of the avalanche vector for the lifting scheme s-box

B. Strict Avalanche Criterion (SAC)
As mentioned earlier, satisfying the completeness and avalanche criteria does not imply satisfying the strict avalanche criterion, but the reverse is true. Therefore, it is necessary to run the strict avalanche criterion test to investigate the diffusion of the proposed lifting scheme s-box. The strict avalanche criterion is a stronger, per-output-bit form of the avalanche criterion, as represented in (12); thus, the error margin for the strict avalanche criterion is larger than that for the avalanche criterion. Normally, the strict avalanche criterion does not satisfy (13) with exactly one half, but there is some error margin; however, this error margin should be very small. The relative absolute error of the strict avalanche criterion $\epsilon_{\mathrm{SAC}}$ is defined as follows [5]:

$$\epsilon_{\mathrm{SAC}} = \max_{i, j} \left| \mathrm{SAC}(i, j) - \frac{1}{2} \right| \quad (21)$$

By applying (13) and (21), the maximum relative absolute error of the SAC for the lifting scheme s-box is found to be 0.039, while it is 0.50 for Rijndael [5]. The result shows that the lifting scheme s-box satisfies the SAC with a very small error margin and hence the diffusion property. Fig. 4 shows 16 curves corresponding to the input differences $e_1, e_2, e_3, \ldots, e_{16}$.

Fig. 4. Relative absolute error for SAC versus bit position of the avalanche vector for the lifting scheme s-box
C. Bit Independence Criterion (BIC)
The calculation of the BIC differs from the calculations of the avalanche criterion and the SAC. It is based on (14) and (15), which give BIC(f) for the s-box as the maximum correlation between any two avalanche variables. Therefore, the relative absolute error $\epsilon_{\mathrm{BIC}}$ is defined as follows [5]:

$$\epsilon_{\mathrm{BIC}} = \mathrm{BIC}(f) \quad (22)$$

It is found to be 0.004, compared with 0.34 for the s-box of Rijndael [5]. Fig. 5 shows the maximum relative absolute error for the BIC of the lifting scheme s-box according to the avalanche bit position. Table 1 summarizes the maximum relative errors for the lifting s-box and the Rijndael s-box. The relative error values obtained for the lifting s-box are very small, reflecting the high diffusion rate that the proposed s-box exhibits. They are also very small compared with the relative error values for the s-box of Rijndael, which means that the proposed s-box has a higher diffusion rate and, as a result, can provide more security. Note, however, that the comparison is between a 16x16 s-box and the 8x8 Rijndael s-box; the deviations measured by (20)-(22) shrink with the input size (they are of order $2^{-n/2}$ even for a randomly chosen permutation), so part of the gap reflects the larger input space rather than the construction alone.

Fig. 5. Relative absolute error for BIC versus bit position of the avalanche vector for the lifting scheme s-box

TABLE 1. MAXIMUM RELATIVE ERROR FOR THE LIFTING SCHEME S-BOX AND THE RIJNDAEL S-BOX
Criterion   Lifting   Rijndael [5]
AVAL        0.0083    0.035
SAC         0.039     0.50
BIC         0.004     0.34

D. XOR Table Distribution
To investigate the confusion of the proposed lifting scheme s-box, the XOR table distribution has to be determined, since the s-box is the only nonlinear component of the block cipher. The XOR table distribution evaluates the security of the block cipher against differential cryptanalysis and is considered the first step towards examining the strength of the block
cipher against differential cryptanalysis. From the XOR table distribution, designers can decide whether the intended s-box is suitable for their block ciphers. The dimension of the XOR distribution table of an s-box depends on its input size; its entries are calculated using (17). For the lifting scheme s-boxes, the dimension of the XOR distribution table depends on the number of input bits of each branch: it is $2^{16} \times 2^{16}$ in the case of a $16 \times 16$ lifting scheme s-box. All the entries of the XOR distribution table should be as small as possible, because differential attacks exploit large values in the XOR distribution table to break the cipher. Note that when the input XOR equals zero, the output XOR is zero for all pairs; because no nonzero output difference is possible, the entry $\mathrm{XOR}_f(0, 0)$ equals $2^{16}$ for a $16 \times 16$ s-box. Also, all the values in the table are even and the sum of each row equals $2^{16}$ when the dimension of the XOR distribution table is $2^{16} \times 2^{16}$; that is, the row sum of the XOR table distribution depends on the size of the s-box. For the proposed lifting scheme s-box, the maximum value in the XOR distribution table over all nonzero input differences is obtained by applying (17); it is very low indeed compared to the s-box size ($16 \times 16$), resulting in a very small maximum differential probability.

E. Linear Approximation Table (LAT)
The other table to be produced to examine the confusion property of the proposed s-box is the linear approximation table, which evaluates the security of a block cipher against linear cryptanalysis. As mentioned earlier, designers can use the XOR table distribution to select s-boxes that counter differential cryptanalysis; the linear approximation table can likewise be used to select s-boxes that counter linear cryptanalysis.
The dimensions of the linear approximation table depend on the size of the s-box: it is $2^{16} \times 2^{16}$ for the $16 \times 16$ lifting scheme s-box. The entries of the linear approximation table are calculated using (18) and should be as small as possible to resist linear cryptanalysis. If the input subset is $X' = 0$ and the output subset is $Y' = 0$, the LAT entry is 32768 for the $16 \times 16$ lifting scheme s-box; the entries are zero for all other output subsets in that row. The maximum value obtained elsewhere in the linear approximation table ($\mathrm{LAT}_{\max}$) is 90. This value is very low compared to the s-box size ($16 \times 16$), resulting in a very small maximum linear probability. The maximum values in the XOR table distribution and the linear approximation table are very small compared to the s-box size; therefore, the proposed lifting scheme satisfies the confusion property and, consequently, resists linear and differential cryptanalysis.

IV. CONCLUSIONS
The cryptographic properties of the lifting scheme s-box were evaluated and compared with those of the Rijndael s-box. The results showed that the lifting s-box is dominant over the Rijndael s-box. It is considered a strong s-box, as it obeys the avalanche criterion, SAC and BIC with very small marginal error. The maximum values in the XOR table distribution and the linear approximation table are also very small compared with the s-box size. Therefore, the lifting scheme s-box supports the security and scalability of the scalable filter bank block cipher.
REFERENCES
[1] S. Saraireh and M. Benaissa, "A scalable block cipher design using filter banks and lifting over finite fields," Proceedings of the IEEE International Conference on Communications, pp. 1-5, 2009.
[2] J. Daemen and V. Rijmen, "AES proposal: Rijndael, AES algorithm submission," NIST Computer Security Resource Center, pp. 1-45, 1999, http://csrc.nist.gov/archive/aes/rijndael/rijndael-ammended.pdf
[3] Y. Borissov, P. Boyvalenkov, and R. Tsenkov, "Linear cryptanalysis and modified DES with embedded parity check in the s-boxes," Cryptography and Information Security, Lecture Notes in Computer Science, vol. 9540, pp. 60-78, 2016.
[4] Y. Borissov, P. Boyvalenkov, and R. Tsenkov, "On a linear cryptanalysis of a family of modified DES ciphers with even weight s-boxes," Cybernetics and Information Technologies, vol. 16, no. 4, pp. 3-12, 2016.
[5] S. Kavut and M. Yücel, "On some cryptographic properties of Rijndael," Information Assurance in Computer Networks: Methods, Models and Architectures for Network Security, Lecture Notes in Computer Science, vol. 2052, pp. 300-311, 2001.
[6] A. Ahmad and M. Farooq, "S-box scope: a meta s-box strength evaluation framework for heterogeneous confusion boxes," Proceedings of the Hawaii International Conference on System Sciences, pp. 5545-5553, 2016.
[7] I. Vergili and D. Melek, "Avalanche and bit independence properties for the ensembles of randomly chosen n×n s-boxes," Turkish Journal of Electrical Engineering and Computer Sciences, vol. 9, no. 2, pp. 137-145, 2001.
[8] K. Kim, T. Matsumoto, and H. Imai, "A recursive construction method of s-boxes satisfying strict avalanche criterion," Advances in Cryptology, Lecture Notes in Computer Science, vol. 537, pp. 545-553, 1990.
[9] A. Webster and S. Tavares, "On the design of s-boxes," Advances in Cryptology - CRYPTO '85, Lecture Notes in Computer Science, vol. 218, pp. 523-534, 1986.
[10] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," Journal of Cryptology, vol. 4, no. 1, pp. 3-72, 1991.